ctipilot.ch

2026-06-10-c84347b2

One pipeline fire, in full · intel run of 2026-06-10 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-06-10/2026-06-10-c84347b2.md.

Run telemetry

2026-06-10-c84347b2 intel prompt v2.60
37m 51s duration 20 published 2 updates
unknown (unknown) main agent
S1 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
6
Duration
34m 18s
Tool calls
8 WebFetch0 WebSearch22 bridge
Cited sources
7 of 14 in slice
S2 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
5
Duration
41m 07s
Tool calls
3 WebFetch5 WebSearch22 bridge
Cited sources
3 of 11 in slice
S3 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
11
Duration
56m 56s
Tool calls
18 WebFetch2 WebSearch14 bridge
Cited sources
8 of 13 in slice
S4 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
2
Duration
70m 48s
Tool calls
18 WebFetch28 WebSearch14 bridge
Cited sources
4 of 11 in slice

Verification

#1 NEEDS_FIXES · Claude Opus 4.8 · t=3 e=0 a=5 #2 NEEDS_FIXES · Claude Sonnet 4.6 · t=1 e=0 a=0 #3 CLEAN · Claude Opus 4.8 · t=0 e=0 a=1

Deep dive

2026-06-10/dragos-q1-2026-industrial-ransomware-analysis-1-020-industri

Entries published (this run)

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

No source-list edits recorded for this run.

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

Source (uncovered)URL triedMethod chainStatus / classWhat the agent did instead
databreaches-nethttps://databreaches.net/bridge:urlbridge:wayback403 transport-403
fetch_source: upstream HTTP 403 for https://databreaches.net/
WebSearch fallback; Wayback only 24-byte placeholder; key stories found via BleepingComputer/TheRecord
sec-disclosures-edgarhttps://efts.sec.gov/LATEST/search-index?q=%22Item+1.05%22&forms=8-K&startdt=202bridge:sec-edgar500 transport-5xx
fetch_source: upstream HTTP 500 for EDGAR full-text search range query
Narrower 2026-06-09..10 range returned 0 qualifying Item 1.05 filings
sophos-xopshttps://news.sophos.com/feed/webfetchbridge:url503 transport-5xx
HTTP 503 on Sophos blog feeds (6th consecutive run)
none — transport block; covered indirectly via THN/Risky Biz

Bridge invocations (this run)

4 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).

3 ok1 empty feed
  • bridge:ncsc-csh.recent ×1
  • bridge:cisa-kev ×1
  • bridge:bsi-csaf ×1
  • bridge:url ×1

Verification findings · all iterations

Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.

Iteration #1 NEEDS_FIXES · 3 findings (truth=3, editorial=0, advisory=5) · Claude Opus 4.8 · 5m 33s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F3
claim-not-supported
trending-vulnerabilitiesCVE-2026-44748 — SAP June Patch Day
SAP Note 3746332 (RFC kernel)
3746332 is the SAML note for CVE-2026-44748, not the RFC kernel note (3717897).Relabelled body so 3746332 = SAML XSW fix; removed RFC-kernel mislabel. fixed-clean
F3
claim-not-supported
trending-vulnerabilitiesTYPO3 core June release
CVE-2026-11607 cites SA-2026-006
CVE-2026-11607 lives in SA-2026-019; SA-006 covers CVE-2026-47344/47345.Renamed lead CVE to CVE-2026-47344 (matches cited SA-006) in heading/footer/table; rekeyed cves_seen + covered_items. fixed-clean
F13
analytical-link-as-fact
active-threatsTchap government messenger breach
federation-wide Matrix user-directory search to enumerate accounts
Enumeration mechanism stated as fact and mis-attributed to HNS; endpoint path in no source.Reframed as unverified attacker claim (HNS+Register), removed endpoint path, added to § 7 unverified-claims note. fixed-clean

Iteration #2 NEEDS_FIXES · 1 finding (truth=1, editorial=0, advisory=0) · Claude Sonnet 4.6 · 4m 38s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F3
claim-not-supported
trending-vulnerabilitiesCVE Summary Table — CVE-2026-27671
SAP Note 3746332
Table row for CVE-2026-27671 (RFC kernel) still cited SAML note 3746332; should be 3717897.Changed table Patch cell for CVE-2026-27671 to SAP Note 3717897. fixed-clean

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-06-10-c84347b2 · Anthropic Claude (specific model not determined) · 20 entries published

  • Coverage window: standard daily, 36 h (gap to prior brief 2026-06-09 = 24 h). No catch-up extension needed.
  • Immediate Action callout intentionally omitted. Ivanti Sentry CVE-2026-10520 (CVSS 10.0 pre-auth RCE, public PoC today) was the strongest candidate but has no confirmed in-the-wild exploitation or verified mass-scanning yet; per the callout bar ("if unsure, omit"), its urgency is surfaced in § 0 TL;DR, § 2 and § 6 instead.
  • Single-source items (named): § 3 Unit 42 cloud-logging defense-evasion, § 3 Red Canary Entra Agent ID OBO abuse, and § 3 Check Point TDS ecosystem are each single HIGH-reliability vendor primary research (flagged [SINGLE-SOURCE] in-heading). § 1 NCSC-CH Week 23 and § 4 CRA deadline are single-source national-CERT / EU-authority primary disclosures (PD-5 carve-out). § 5 Dragos Q1 2026 is single-source HIGH-reliability OT/ICS specialist research; victim attributions trace to Dragos.
  • Reduced confidence — aggregator-only sourcing: the § 1 Meta Instagram item rests on BleepingComputer and Security Affairs, which both relay Meta's Maine AG breach filing; the regulator filing is the underlying primary but was not directly retrievable in this run. Treat the 20,225 figure and the logic-flaw description as accurately relayed but not independently fetched from the filing.
  • Vendor-primary single-source CVE items: the Ivanti Sentry (CVE-2026-10520, watchTowr), Chrome V8 (CVE-2026-11645, Chrome Releases) and Arista EOS (CVE-2026-7473, Arista advisory) items each cite a single authoritative vendor/research primary; the Chrome and Arista entries are independently corroborated by their CISA KEV listing (the KEV catalog root is a hard-blocked Source URL, so it is referenced in prose rather than the footer).
  • Disclosure-only vulnerabilities (no confirmed ITW), included for CH/EU patch-prioritisation relevance: CVE-2026-47895 (strongSwan), CVE-2026-44963 (Veeam, authenticated), the SAP June notes, and the TYPO3 batch. Of today's § 2 CVEs only CVE-2026-11645 (Chrome) and CVE-2026-7473 (Arista) are KEV-listed/exploited; CVE-2026-10520 has a public PoC but no observed ITW. Patch-Tuesday CVEs not meeting the § 2 bar individually (e.g. CVE-2026-45586 CTFMON EoP) are referenced only as cluster context, not promoted to standalone items.
  • Gamaredon long-running-campaign rule: the Trend Micro WinRAR report (§ 3) is framed around the novel UAC-0226/GIFTEDCROOK and Earth Dahu angle and CVE-2025-8088 persistence, not a re-summary of the Gamaredon GammaPhish/GammaWorm/GammaSteel chain already covered 2026-06-02→2026-06-08 and in the W23 weekly.
  • Unverified actor claims flagged in-text: the Tchap attacker's directory-search enumeration method, the broader scrape figures (~643k messages, ~13.5 GB media) and the alleged unauthenticated media-retrieval bug are all attributed to the unverified actor (and reported by The Register as unverified claims), not stated as confirmed; DINUM's confirmed scope (73,467 agents; name/first-name/email/employing-entity/avatar) is what the brief reports as fact.
  • Contradictions: none material. Microsoft June CVE count is reported as 198 (Rapid7/Tenable enumeration); SANS ISC cites 204/38-critical and Microsoft's own roll-up differs slightly by counting methodology and Chromium inclusion — the brief uses the Rapid7/Tenable figure and notes the methodology gap rather than asserting a single count.
  • Sub-agents: all four (S1–S4, Claude Sonnet 4.6) returned within budget. New candidate source surfaced and added this run: InfoGuard Labs (labs.infoguard.ch), status candidate — the Ghost-Sender disclosing party. Socket.dev and Resecurity were also surfaced as candidates but held over (one-candidate-per-run cap).
  • Coverage gaps: databreaches-net (bridge HTTP 403 + Wayback placeholder only — 7th consecutive run failure, transport block not demotion); sec-disclosures-edgar (HTTP 500 on the 5–10 June range, narrower 9–10 June range returned 0 qualifying Item 1.05 filings); sophos-xops (HTTP 503, 6th consecutive run — transport block); greynoise (no usable RSS/bridge endpoint — Webflow SPA); trendmicro-research (article body JS-rendered; WinRAR story corroborated via The Hacker News); cert-fr-actualite (weekly-bulletin feed stale to 2025, avis current but no in-window additions). inside-it-ch RSS bridge route confirmed working this run (resolves the prior 404 gap); no in-window security incidents on the feed.

Unmatched action items (migrated)

  • Close Ghost-Sender on Exchange Online tenants using a third-party MX — there is no vendor patch: add a Partner/On-premises inbound connector requiring the gateway's TLS certificate or approved IPs, add a priority-0 transport rule rejecting mail not arriving via that connector, and verify Enhanced Filtering for Connectors is enabled. Hunt Message Trace for inbound mail on the Default Frontend connector. See § 1.
  • Harden the IT/OT boundary against ransomware — deny RMM tooling (AnyDesk, SimpleHelp, Atera, N-able, ScreenConnect) by default on OT-adjacent hosts and alert on execution; extend access controls to ICS engineering/integration vendors' remote paths. See § 5.
  • Audit developer and research endpoints for the Hades PyPI wave — hunt *-setup.pth creation under site-packages and Bun downloads from github.com/oven-sh/bun; pin dependencies and install with --ignore-scripts. See § 4.

Migrated from briefs/2026-06-10.md (v2).

← Operations dashboard · day page 2026-06-10 · run-record contract: docs/pipeline.md